ae1af6a568
Bug: v8:8394, v8:8801, v8:9183 Change-Id: I29ff1a6dda97e89335b30fcc8c380bcb4055e1fb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1664690 Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#62254}
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Warm-up receiver for g(): `foo` holds a string here, so the g(dummy) calls
// read a string's length.
var dummy = {foo: "true"};

// `y` is first given the fractional value 0.5 and then overwritten with the
// whole number 357 before being read back into `b`.
// NOTE(review): presumably this store sequence is what gives `b` the number
// representation the regression depends on; confirm against the original bug
// report before changing it.
var a = {y:0.5};
a.y = 357;
var b = a.y;

// Global assigned by f() on every call; nothing visible in this file reads it.
var d;
// Function under test: stores 357 into the global `d`, then returns a fresh
// object literal whose `foo` property is the global `b`.
// NOTE(review): the statement order and the `{foo: ...}` literal (same key as
// `dummy`) look deliberate for reproducing the bug; keep them unchanged when
// editing this test.
function f( ) {
  d = 357;
  return {foo: b};
}
// Tiering sequence for f(): prepare it for optimization, call it twice as
// warm-up, then request optimized code for the next call. The %-prefixed calls
// are V8 test intrinsics and only parse with --allow-natives-syntax.
%PrepareFunctionForOptimization(f);
f();
f();
%OptimizeFunctionOnNextCall(f);
// `x` is the object returned by the first call made after optimization was
// requested.
var x = f();
// With the bug, x is now an invalid object; the code below
// triggers a crash.
// Consumer used to exercise the object returned by f(): reads `foo` from
// `obj`, then `length` from that value. It contains no assertion; per the
// comment above, a malformed `x` is expected to surface as a crash on this
// property-access path.
function g(obj) {
  return obj.foo.length;
}
// Same tiering sequence for g(): warmed twice with `dummy` (string `foo`), then
// the call made after the optimization request receives `x`, whose `foo` comes
// from f().
// NOTE(review): no assertion follows, so presumably the pass condition is that
// this final call completes without crashing the engine.
%PrepareFunctionForOptimization(g);
g(dummy);
g(dummy);
%OptimizeFunctionOnNextCall(g);
g(x);